
November ’22 Publications
Over the past month, members of the Threat Bounty community submitted 433 rules for publication on the SOC Prime Platform. A number of rules were automatically rejected at the automated checks stage because of structure, syntax, logic, or content duplication errors, and were not passed on for review by SOC Prime experts. In November, 123 detections passed the SOC Prime review and were published on the Platform for monetization.
For more information on the common reasons for publication rejection and the main acceptance criteria, see the SOC Prime Threat Bounty: October 2022 Results.
To make sure that your content qualifies for publication on the Platform through the Threat Bounty Program, we recommend that you research existing content on the SOC Prime Platform using Lucene Query Search and pay attention to the naming rules, descriptions, references to sources, and the related MITRE ATT&CK® tags. Please note that Sigma rules that are entirely based on alerts from other security solutions are not accepted for publication through the Threat Bounty Program. Also, when creating a rule, it is important that authors make the changes and improvements suggested by the automated verification, based on the feedback provided.
Sigma Rules Bot for Threat Bounty
The Sigma Rules Bot, already actively used by advanced Threat Bounty content developers, is now officially released in the Slack app directory. With the Sigma Rules Bot, members of the Threat Bounty community can create rules directly in Slack, test them for common issues, including syntax errors and uniqueness of detection logic, and submit the rules for review by SOC Prime. During the SOC Prime review, which is a required step to publish rules on the Platform for monetization, SOC Prime experts can now communicate with the content creator via the Slack Bot by opening a chat linked to a specific submitted Sigma rule.
The Sigma Rules Bot provides an easy and seamless way to grow and monetize detection engineering skills by publishing unique threat detection Sigma rules on the SOC Prime Platform. Watch the step-by-step guide for more details.
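The two passages above list the kinds of problems that stop a rule before expert review: broken structure, missing references or ATT&CK tags, a condition that does not match its selections, and detection logic that duplicates an already published rule. The checks below are an added illustration of how an author might pre-screen a rule locally before submitting it. This is example code written for this article, not SOC Prime's bot or its actual rule set; the required-field list, the tag pattern and the duplicate-logic fingerprint are assumptions, and the sample rule is constructed.

```python
"""Pre-submission sanity checks for a Sigma rule (hypothetical; not SOC Prime's bot).

The rule is passed in as the dict a YAML loader would produce, so the
example runs without a YAML dependency.
"""
import fnmatch
import hashlib
import json
import re

# Sigma ATT&CK tag convention: attack.t1053.005 or attack.persistence (assumed checklist)
ATTACK_TAG = re.compile(r"^attack\.(t\d{4}(\.\d{3})?|[a-z_]+)$")
URL = re.compile(r"^https?://\S+$")
REQUIRED = ("title", "description", "logsource", "detection", "references", "tags")


def detection_fingerprint(detection):
    """Canonical hash of the detection block so that the same logic is recognised
    regardless of key order, whitespace or letter case (used for duplicate checks)."""
    canon = json.dumps(detection, sort_keys=True, separators=(",", ":")).lower()
    return hashlib.sha256(canon.encode()).hexdigest()


def check_rule(rule, known_fingerprints=frozenset()):
    """Return a list of problems; an empty list means the rule passed these checks."""
    problems = []
    for key in REQUIRED:
        if not rule.get(key):
            problems.append(f"missing or empty field: {key}")
    if problems:
        return problems  # structure is broken, deeper checks would only raise

    logsource = rule["logsource"]
    if not any(k in logsource for k in ("category", "product", "service")):
        problems.append("logsource needs at least one of category/product/service")

    detection = rule["detection"]
    names = [k for k in detection if k != "condition"]
    condition = detection.get("condition", "")
    if not condition:
        problems.append("detection block has no condition")
    elif not names:
        problems.append("detection has a condition but no selections")
    else:
        # Every identifier in the condition should name a selection; wildcards
        # such as "1 of selection_*" and "all of them" are allowed.
        tokens = set(re.findall(r"[A-Za-z0-9_*]+", condition))
        if "them" not in tokens and not any(
            fnmatch.fnmatchcase(n, t) for n in names for t in tokens
        ):
            problems.append("condition references none of the defined selections")

    for tag in rule["tags"]:
        if not ATTACK_TAG.match(tag):
            problems.append(f"tag not in Sigma ATT&CK format: {tag}")
    if not any(t.startswith("attack.t") and ATTACK_TAG.match(t) for t in rule["tags"]):
        problems.append("no ATT&CK technique tag (attack.tNNNN)")

    for ref in rule["references"]:
        if not URL.match(ref):
            problems.append(f"reference is not a URL: {ref}")

    if detection_fingerprint(detection) in known_fingerprints:
        problems.append("detection logic duplicates an already published rule")
    return problems


# Constructed sample in the style of a process_creation rule (not a real published rule).
SAMPLE_RULE = {
    "title": "Scheduled Task Created With Action In User-Writable Path",
    "description": "Detects schtasks.exe creating a task whose command line points at a temp directory",
    "references": ["https://attack.mitre.org/techniques/T1053/005/"],
    "tags": ["attack.persistence", "attack.t1053.005"],
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {"Image|endswith": "\\schtasks.exe", "CommandLine|contains": "/create"},
        "tmp_path": {"CommandLine|contains": ["\\AppData\\Local\\Temp\\", "\\Users\\Public\\"]},
        "condition": "selection and tmp_path",
    },
}

if __name__ == "__main__":
    for problem in check_rule(SAMPLE_RULE) or ["no problems found"]:
        print(problem)
```

A real pre-check would load the YAML file and compare the fingerprint against the rules already on the Platform; here `known_fingerprints` stands in for that published set so the duplicate path can be exercised offline.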
Top Authors
Threat Bounty detections published by these authors were ranked highest on the Threat Detection Marketplace:
Nattatorn Chuensangarun
Osman Demir
Sittikorn Sangrattanapitak
Kyaw Pyiyt Htet
Emir Erdoğan
The average Threat Bounty payout for November is $1,647.
Top Rated Content
Suspicious Black Basta Ransomware Operation by FIN7 by Detection of Associated Events (via registry_key). Threat hunting Sigma rule by Kyaw Pyiyt Htet (Mik0yan) detects registry run keys used for persistence by FIN7’s Black Basta ransomware operation.
Possible Initial Access by Text4Shell Template Injection [CVE-2022-42889] (via proxy). Threat hunting Sigma rule by Kyaw Pyiyt Htet (Mik0yan) detects keywords in the URI field of HTTP requests that are known to be used to exploit the Text4Shell vulnerability. See the article for more information.
Possible Black Basta Attack [QakBot] (November 2022) Lateral Movement Activity by Detection of Associated Process (via process_creation). Threat hunting Sigma rule by Zaw Min Htun (ZETA) detects the execution of the Cobalt Strike payload with the Black Basta rundll32.exe SetVolume commands. The threat actor leverages Qakbot in a potentially widespread campaign run by Black Basta operators.
Possible Toneshell Backdoor Persistence by Detection of Associated Scheduled Tasks (via process_creation). Threat hunting Sigma rule by Aytek Aytemur detects the suspicious creation of scheduled tasks to establish persistence using the Toneshell backdoor, which is associated with the Earth Preta APT group.
Possible Qbot Malware Collecting Data by Using the OpenWith Process with Follina Exploit [CVE-2022-30190] (via process_creation). Threat hunting Sigma rule by Nattatorn Chuensangarun detects suspicious Qbot malware activity that uses the OpenWith process to collect data via the Follina exploit vulnerability, CVE-2022-30190.
Code the path to your proven cybersecurity expertise with the SOC Prime Threat Bounty Program and earn money with your own detection rules published to the detection-as-code platform.